One of the first tasks that I took on as an undergraduate, this idea for a signature-based engine for protocol identification started as a side project by Collin McMillan. I took ownership after he left TU and rewrote the engine in Python. The result is a library called pysand appropriate in part for backing a passive network monitor capable of identifying protocols regardless of port number using deep packet inspection.

We demonstrated a version of the tool at the FAA’s Computer Security Incident Response Center to great success. I wrote about it in my first full-length peer-reviewed publication (PDF), and later, with Cody Pollet,  added a multi-touch interface for visualizing network streams; we presented this work in a talk at DEFCON 17 (link) and in the poster session at USENIX Security.

I occasionally do a little bit of work to the network monitoring library, but it’s mostly for archival purposes at this point as there are now commercial tools that do what we did.


This work is based upon collaboration with:

  • Collin McMillan
  • Kevin Clark
  • Christopher Johnson
  • Dr. John Hale
  • Cody Pollet
  • Matt Young


      Source code repository